- Open a dedicated settings BrowserWindow with general / login / diagnostics / about tabs
- Persist openAtLogin and keepRunningInBackground via desktop-settings.json; hide main window instead of quitting when background mode is on
- Default API base URL now points to api.shengxintui.com; LoginView and SettingsView share a single constant
- Restore wangyihao session cookies on probe and silent refresh, and accept the legacy http://mp.163.com console origin
- Drop the standalone diagnostics view in favor of the settings tab
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Spawn a separate window per mode keyed by a ?window= query param so each surface keeps its size, devtools, and renderer state independently. Logout now persists the cleared session and switches windows before awaiting the runtime release, avoiding a stale main-window flash on the way out.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Build https://www.163.com/dy/article/<docId>.html when wangyihao tasks finish, and normalize publish-record responses + monitoring alias inputs to surface the same public URL when the doc id is known.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Scheduled probes and reportAccountFailure now request a silent refresh
before marking an account expired, and a missing wangyihao publish
token is classified as ok instead of auth_failure so the cookie-based
refresh path can recover the session.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Snapshot 163.com/126.net cookies on bind/refresh to a userData vault and
restore them when reattaching a session, recover orphan partitions by
matching the detected mediaInfo, verify the bind window via the console
state instead of a generic profile probe, and route token/draft fetches
through the https API origin while opening console pages over http to
match the live editor.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Track an authRevision per local record so a fresh bind cancels in-flight
probes, sync server-confirmed health back into the desktop cache via
reconcileTrackedAccountRemoteState, include verified_at in the upsert
signature, and drop runtime health reports older than the stored
verified_at on the server side.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Inject the YiDun guardian client to obtain ursToken without relying on
window.neg, fetch the publish detail (wemediaId/onlineState/...) before
saving drafts so 100002 "参数错误" stops blocking submit, downgrade
markdown tables to paragraph rows like Baijiahao, and surface friendlier
errors for token, draft and publish-click failures.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Raise the response capture body limit, parse siteName and source
indexes from yuanbao DOM links, merge ordered DOM sources with the
streamed list, and reject runtime/build-diagnostic strings from being
treated as a question.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The 企鹅号 console returns 200 even when the session is silently expired,
so probe/silent-refresh/console-open now require detect() to return an
account whose identity matches the bound one. Surface a localized
"授权已过期" prompt in the renderer when the new
desktop_account_session_expired error bubbles up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the masssend HTTP path with a Playwright-driven editor flow that
clicks "群发" and resolves the publish response, then polls appmsgpublish
for the public mp.weixin.qq.com/s URL. When the dialog asks for admin
verification / scan-code authorization, swallow it as a successful draft
save and surface fallback_reason=publish_authorization_required so the
operator can finish from the console. Also broaden token extraction in
account-binder and treat the draft list URL (cgi-bin/appmsg) as the
console landing page.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
"内容由AI生成" tripped Wangyihao's AIGC review and parked drafts under
manual screening. Switch to "个人观点,仅供参考" so legitimate posts move
through normal moderation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Drafts previously stopped at the草稿箱 step, leaving the operator to publish
manually. Chain a /cgi-bin/masssend call, then poll the appmsgpublish list
(by title and by latest) to extract the mp.weixin.qq.com/s public link
and a publish_id. Surface dedicated failures for publish and link-missing
states, and switch the result payload to publish_type="publish" with the
appmsgpublish manage URL.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bind callbacks now stamp the runtime account as health=live with a fresh
verified_at and seed the health record via markTrackedAccountBound, so the
UI doesn't show a just-bound account as 尚未校验 while waiting for the next
probe. Also let force probes bypass the cached-result short-circuit so the
manual 重新校验 button always re-runs the probe.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Naked /cgi-bin/home redirects to the login page even with a live cookie,
which made probe/refresh/verify mis-classify accounts as expired. Resolve
the tokenized console URL via mp.weixin.qq.com first, then read the page
state to detect 登录超时/未登录 banners and reuse detectWeixinGzh to confirm
identity. Open-console also now lands on the tokenized URL.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The MP draft API sometimes returns appMsgId as a number or under the
appmsgid alias; coerce both shapes before treating the response as a
success. Also extend the platform auth adapter to recognize 登录超时/
请重新登录 wording so the runtime drives the account back to re-auth.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
These ByteDance asset CDNs ship images and static docs that are not real
citations, so they pollute the monitoring source list. Filter them at both
buildSourceItem and dedupe stages, and add unit coverage via an exported
test-only helper bag.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Why: avoid showing accounts as not-live during stale-window probes; keep publish gating consistent with runtime view.
- collapse FIRST_PROBE window so initial probe runs immediately
- skip due-probe selection when a probe is already queued/in-flight
- mirror auth-state→health projection on both client report and tenant ingest paths
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Server callback now rejects succeeded submissions without a non-empty answer,
or whose answer contains [citation:N] markers without any sources. Desktop
adapters mirror this client-side: kimi returns unknown when sources arrive
without a final answer, and yuanbao returns unknown when the answer has
unresolved citation markers. Yuanbao also unwraps redirect URLs, harvests
citations from more DOM attributes and document URL fields, drops links
pointing back at yuanbao itself, and dedupes overlapping streaming
fragments. Runtime controller forwards only an explicit "succeeded" status
as success; anything else becomes failed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The deepseek adapter pulls in electron/main when registering ipc listeners,
which made the test fail at import time outside the electron runtime. Stub
ipcMain with vi.mock so the unit test can load the module under vitest.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Use the account session for imagex apply/upload/commit so the requests carry
the same cookies/UA the bind console saw, instead of falling out of the
session via a bare Node fetch — bytedance imagex was rejecting these as
unauthenticated under the bound session. Also align the binding console URL
with the v2 publish article path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace serial probe-on-lock with a bounded probe queue (concurrency 3) that
adds a "queued" probe state, manual cooldown, and retry backoff. After each
probe the runtime debounces a batched POST to the new
/desktop/accounts/health-reports endpoint so the server learns about live,
expired, and risk transitions without waiting for a re-bind. Adds an
account-scoped IPC (probeRuntimeAccount + runtimeAccountSnapshot) so the
renderer can refresh a single row instead of replaying the full snapshot,
and exposes the resulting "重新校验" action in AccountsView/AiPlatformsView.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The v3 manage URL has been retired and now redirects through a login
gate, breaking the post-publish "管理" deeplink and login detection.
Switch the binding console URL and the adapter SOHU_MANAGE_URL to the
v4 contentManagement endpoints, and synthesize external_article_url for
publish (not draft) results from the article id and account uid so the
publish list can offer a "查看文章" link without an extra fetch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Generate the desktop client_id deterministically from OS machine identifiers
(IOPlatformUUID / MachineGuid / /etc/machine-id) scoped per
tenant+workspace+user, with a persisted UUID fallback when the OS lookup
fails. The renderer now requests the id over a new IPC bridge instead of
keeping a localStorage UUID, so reinstalls and storage clears no longer
fork into duplicate clients. Server enforces the id as required and
rejects empty/malformed UUIDs. Also harden bootstrap reveal flow and
single-instance exit so a second launch focuses the existing window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Periodically polls runtime snapshot for accounts in expired/revoked/challenge_required states and reflects the count via tray badge, macOS dock badge, and Windows overlay icon so users see authentication problems without opening the app.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Detect zol login redirects via passport/service hostnames and verify
console access by re-detecting the bound account so a different logged
in user is treated as expired instead of active.
- Skip networkPic upload for local/private URLs and fall back to file
upload (with siteType retry) so desktop-hosted assets no longer reach
ZOL as unreachable links and produce blank images.
- Surface zol_content_image_upload_failed and challenge errors instead
of silently substituting empty image URLs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When a public asset URL fails (e.g. stale signed token), retry via the
new /api/desktop/content/assets endpoint with the desktop Bearer token
so editor images keep rendering across token rotations.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Detect qiehao's real-name auth blocking response (code/message) in the
desktop adapter, surface a Chinese-friendly summary, and propagate the
detail through the failure result.
- Extract a shared publisher-errors module so the renderer can normalize
these messages for the publish task table without duplicating regex.
- Pre-process article HTML for qiehao before upload via a new
packages/publisher-platforms/src/qiehao.ts entry point.
- Update the manual self-test notes for jianshu and qiehao with the
latest results.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Jianshu's HTML editor strips uploaded <img> tags during save, so previously
uploaded images vanished from the rendered article. After image upload,
convert each <img> (and surrounding <p> wrappers) to a markdown image block
in both the desktop and extension publish paths so the references survive.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Wire sohuhao, wangyihao, juejin, smzdm, weixin-gzh, zol, and dongchedi
into the publish runtime: each ships its own publish protocol and
auth-failure classifier (login/token/challenge codes) plus registry
entries in selectPublishAdapter and the auth adapter map. Smzdm bind
detection now triple-falls-back across page-context fetch, session
fetch, cookie fetch, and a final cookie-derived account so the
nickname-less guest profile still resolves to a stable platform UID.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Introduce a reusable helper that produces upload-ready blobs for
adapters that share the same image-asset semantics (dongchedi,
sohuhao, wangyihao, weixin-gzh, zol). Centralizes URL candidate
expansion and passthrough mime detection so each adapter focuses on
its own publish protocol.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the 1.8s polling interval with a 650ms tick plus a debounced
navigation-driven detect, listen for page-title-updated to catch SPA
transitions, and flush the session asynchronously. The bind handler
now optimistically seeds the runtime account list via
noteRuntimeAccountBound and fires the full server refresh in the
background, so the UI reflects the new binding without waiting on a
round-trip.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Wire bilibili and qiehao (om.qq.com) into the publish adapter registry
and auth-failure classifier. Bilibili bind uses WBI-signed space-info
fallback to retrieve the avatar when nav lacks a face URL, and the
account list image renders with a no-referrer policy so bilibili CDN
serves the avatar cross-origin.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Baijiahao does not consistently render the previous flex-based faux table
markup, so reduce tables to plain <p> rows separated by three nbsp gaps
to keep tabular content visible after publish.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Wires up Baijiahao (百家号) and Jianshu (简书) as first-class desktop
publish targets, with risk-control prompts surfaced in the runtime
controller and a normalized error message in publish records. Adds
external-link buttons in the publish management table, an asset
format conversion endpoint for cover image compatibility, and
reorders publish-status display priority so failures take precedence
over partial successes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Decode Wenxin reference redirect targets so citation URLs land on the
real source host, and broaden the reference/search field patterns to
pick up webPages-style payloads.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull Kimi's "搜索网页" panel results into the regular citation source
flow, drop the dedicated-citation-panel branch on the server side, and
unwrap Kimi redirect URLs so citation source items resolve to the real
target host.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Normalize provider_model so UI shows DeepSeek/DeepSeek-R1 instead of raw toggle text (联网搜索 etc.)
- Unwrap DeepSeek redirect URLs (chat.deepseek.com/api/redirect?url=...) to canonical sources
- Expand reasoning sections and separate reasoning search pages from answer-body citations
- Improve webpages-trigger click heuristics and auxiliary link filtering in answer rendering
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Publish is now treated as the runtime foreground channel and AI
monitoring as background. A new in-memory publish-scheduler owns queue
selection, per-platform active locks, and 3-6s post-completion platform
cooldowns.
The runtime controller tracks lease-in-flight per kind so a monitor
lease no longer blocks a publish lease, derives total concurrency from
hardware class, current process health, and an optional
GEO_DESKTOP_MAX_TOTAL_CONCURRENCY override, and reserves a publish slot
when budgeting monitor capacity. Monitor admission returns zero whenever
publish has backlog or an in-flight lease, so a cooldown-blocked publish
queue still prevents monitor from consuming the foreground reserve.
Runtime diagnostics expose publishScheduler alongside monitorScheduler.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Drop the nested WebContentsView and host the renderer on the main
BrowserWindow's own webContents. Removes the manual bounds sync plumbing
and the extra webContents lifecycle that was only ever a child of the
main window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Move CDPTargetDescriptor and the reclaim predicate out of
playwright-cdp.ts into a dedicated module so the reclamation rule can be
unit-tested in isolation and reused without pulling in the whole hidden
browser manager.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- desktop: new DeepSeek page adapter and monitor registry
- desktop: extract generic AI auth helpers into shared module and
skip binding when challenge signals are present
- admin-web: render DeepSeek HTML answers with inline citation anchors
and surface reference-number badges on source cards
- server: fall back to inline_links/source_panel_links and read
text/siteName fields when extracting DeepSeek citations
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Introduces the Wenxin (文心一言) monitoring adapter and registers it in
the runtime controller and adapter index. Adds a new risk_control
failure classification with custom classifiers for Doubao and Wenxin
that recognize rate-limit, 频控 and 访问环境异常 signals, and propagates
this state through account-health, runtime activity alerts, and the
renderer views so users see "触发风控" instead of a generic challenge
message on the Home, Accounts, and AI Platforms screens.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces the stale API-client flow with a CDP-driven page session that
bootstraps the chat UI, captures streaming responses, and extracts the
answer from both the network log and the DOM. Adds mojibake repair for
UTF-8-over-latin1 encoding drift returned by the site, picks the higher
quality source/DOM answer, and tightens source/citation extraction.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add heuristics to distinguish keyword fragments from substantive answers,
enforce a grace period before returning incomplete content, and mark timed-out
or reasoning-only captures as unknown so later passes can re-collect.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- reset stale in_progress tasks owned by a client on startup, offline, and lease expiry
- monitor tasks re-queue for another pick; publish tasks move to unknown for manual reconcile
- send startup=true flag on first heartbeat so the server can trigger recovery
- finalize the linked desktop task when a phase2 monitor callback arrives via desktop_tasks path
- short-circuit the desktop monitor attempt write after the callback already finalized it
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- implement kimi/yuanbao monitor adapters with dedicated citation panel detection
- detect Kimi session via kimi-auth cookie during account binding
- harden hidden Playwright and bound windows with skipTaskbar/focusable/hiddenInMissionControl to stop stealing focus
- tag hidden bootstrap windows with a unique token so CDP retention resolves the correct page
- enable yuanbao/kimi/wenxin platforms in dev-seed and default monitoring quota
- update kimi loginUrl to www.kimi.com
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace SSE /desktop/events with priority AMQP dispatch for monitoring
runs, and add phase1/phase2 infrastructure so desktop workers can lease,
resume, report, skip, and cancel monitoring tasks over the existing
dispatch WebSocket.
- Add monitoring collect outbox worker and phase2 desktop task fields
- Add /desktop/monitoring/tasks/{lease,resume,result,skip,cancel} routes
- Introduce execution-devtools and network-observer on desktop runtime
- Refactor runtime-controller, LoginView, and doubao adapter for the new flow
- Add channelName column to tracking views
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>